Date:      Sat, 22 Sep 2007 16:17:40 +0200
From:      Christer Hermansson <mail@chdevelopment.se>
To:        freebsd-net@freebsd.org
Subject:   Firewall and VPN considerations
Message-ID:  <46F52404.2090903@chdevelopment.se>

Hello

I am planning on setting up a FreeBSD firewall that will be used to 
protect a LAN.

The firewall will also act as a VPN gateway for external workstations 
running Windows XP Professional; I will use Microsoft's IPsec software 
included in Windows XP.

I will also use the firewall's external side to connect with IPsec to 
another LAN which has Cisco VPN equipment.

The firewall will use IPFW and do NAT for the internal LAN.

I would like to have some advice/opinions on the following issues:

- To achieve NAT with IPFW I must use ipdivert, no other methods exist; 
wrong or right?

- In this thread 
http://lists.freebsd.org/pipermail/freebsd-net/2007-September/015290.html 
they say quad core does not raise the performance compared to dual core 
when building a router. I will have more than packet forwarding and 
userland processes, e.g. NAT and IPsec, so I think more cores will help. 
Should I get a machine with a dual core CPU or a quad core CPU; does quad 
help the performance?

- In this thread 
http://lists.freebsd.org/pipermail/freebsd-net/2006-June/010909.html 
they suggest not using gif together with IPsec to achieve compatibility 
with Cisco etc., so I'm planning to skip gif; wrong or right? What are 
the benefits of using gif?

- In this mail 
http://lists.freebsd.org/pipermail/freebsd-doc/2007-June/012632.html 
they suggest gif and FAST_IPSEC. On the man page for FAST_IPSEC(4) I 
find the text "is an experimental implementation"; maybe the man page 
just needs an update, or is FAST_IPSEC not suited for production 
environments?

In the official FreeBSD handbook 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html 
they say not to use FAST_IPSEC, and show the use of gif; however, I think 
this needs to be updated/rewritten. (If I get the time I really feel like 
writing an alternative page about IPsec with FreeBSD, and maybe the 
result gets accepted for inclusion in the handbook.)

-- 

Christer Hermansson